
Description: Fix out-of-bounds buffer access (CVE-2012-4428)
 Fix handling of string-list in common/slp_common.c by not increasing
 the item pointer past the string-list pointer, and letting '\\' only
 escape the item separator ','.
Author: Guillem Jover <guillem@debian.org>
Origin: vendor
Bug: http://sourceforge.net/p/openslp/bugs/122/
Bug-Debian: https://bugs.debian.org/687597
Last-Update: 2014-07-25

Strangely nobody seems to have fixed this in openslp-2.0.0 ever. 
Patch forward-ported; one chunk isn't needed anymore as the code has been
independently rewritten. Andreas K. Hüttel <dilfridge@gentoo.org>


diff -ruN openslp-2.0.0.orig/common/slp_compare.c openslp-2.0.0/common/slp_compare.c
--- openslp-2.0.0.orig/common/slp_compare.c	2012-12-12 20:12:43.000000000 +0100
+++ openslp-2.0.0/common/slp_compare.c	2017-02-18 19:59:55.296473698 +0100
@@ -587,13 +587,10 @@
         /* seek to the end of the next list item */
         while(1)
         {
-            if(itemend == listend || *itemend == ',')
-            {
-                if(*(itemend - 1) != '\\')
-                {
-                    break;
-                }
-            }
+            if(itemend == listend)
+                break;
+            if(*itemend == ',' && *(itemend - 1) != '\\')
+                break;
 
             itemend++;
         }
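Review bot: in the added `if(*itemend == ',' && *(itemend - 1) != '\\')` test, the look-behind `itemend - 1` has no lower bound visible in this hunk. If `itemend` can still point at the first byte of the list when a ',' is seen (a list that begins with a separator), this reads one byte before the buffer. Consider also requiring that `itemend` is past the start of the current item before dereferencing `itemend - 1`. A one-line comment would also help, stating that the `itemend == listend` test has to come first so that `*itemend` is never read at the end of the list.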
@@ -683,9 +680,10 @@
       /* seek to the end of the next list item */
       while (1)
       {
-         if (itemend == listend || *itemend == ',')
-            if (*(itemend - 1) != '\\')
-               break;
+         if(itemend == listend)
+             break;
+         if(*itemend == ',' && *(itemend - 1) != '\\')
+             break;
          itemend++;
       }
 
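Review bot: the added `if(itemend == listend)` and `if(*itemend == ',' && *(itemend - 1) != '\\')` lines do not follow the style of the surrounding context, which writes `while (1)` with a space before the parenthesis and indents in three-column steps; the new lines use `if(` and a four-column indent for `break;`. Matching the local style keeps later diffs against this function readable. The condition is also a verbatim copy of the one changed in the hunk at line 587, so a small shared helper for the end-of-item test would keep the two loops from drifting apart.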
